Google Calendar MCP — agentic threat model

AIVSS 6.7 · Medium

The Google Calendar MCP tool presents moderate-to-high risk due to its write capabilities (creating/deleting events and inviting external attendees) via OAuth. Without strict human-in-the-loop controls, a compromised or prompt-injected orchestrator could exploit this tool for calendar-invite phishing or data destruction.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 6.5 · AARS uplift 0.95 · Factor sum 2.7/10 · Threat ×1.0 · Mitigation ×0.9

Autonomy of Action: 0.60
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.30
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The listing describes an MCP tool rather than the foundation model itself. However, the model calling this tool is vulnerable to prompt injection, which could force unauthorized calendar modifications or spam invitations.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — While the tool reads and writes Google Calendar data, the listing does not specify how this data is cached, embedded, or processed locally, leaving potential data exfiltration or lineage gaps unaddressed.

L3 · Agent Frameworks ✓ mapped

The tool integrates via the Model Context Protocol (MCP). Insecure tool integration or lack of strict schema validation could allow an orchestrator to misuse the write/delete capabilities, leading to unintended calendar modifications.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The hosting environment of the MCP server and the storage mechanism for OAuth client secrets and user tokens are not detailed, posing risks of credential theft if poorly secured.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, rate limiting, or logging mechanisms to detect anomalous behavior such as mass event deletions or rapid external invitations.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The tool leverages OAuth for authentication and authorization. While this secures the connection to Google APIs, the broad write permissions granted to the agent create a compliance and security risk if not paired with fine-grained user consent.

L7 · Agent Ecosystem ✓ mapped

As an MCP tool designed to be called by other AI agents, it is highly exposed to agent-to-agent trust abuse. A compromised upstream agent could leverage this tool to conduct calendar-invite phishing attacks against external organizations.
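The controls named in the summary and in layers L3 and L5 (strict schema validation, human approval for external invitations, burst detection on deletions) can be combined into one pre-execution gate. The sketch below is an added example, not code from the listed tool; the tool names, argument schemas, internal domain and thresholds are all assumptions, and the sample calls are constructed.

```python
from collections import deque

# Hypothetical tool names and argument schemas; the listing does not publish them.
SCHEMAS = {
    "create_event": {"summary", "start", "end", "attendees"},
    "delete_event": {"event_id"},
    "list_events": {"time_min", "time_max"},
}
ORG_DOMAIN = "example.com"  # assumed internal domain
WINDOW_S = 60               # sliding window for burst detection, in seconds
MAX_DELETES = 3             # deletes per window before a human must approve

class CalendarGate:
    """Returns (decision, reason) for a tool call before it reaches the Calendar API."""
    def __init__(self):
        self.deletes = deque()  # timestamps of recent schema-valid delete_event calls

    def review(self, tool, args, now):
        allowed = SCHEMAS.get(tool)
        if allowed is None or not set(args) <= allowed:
            return "deny", "unknown tool or unexpected argument"
        if tool == "create_event":
            attendees = args.get("attendees", [])
            if not isinstance(attendees, list) or not all(isinstance(a, str) for a in attendees):
                return "deny", "attendees must be a list of strings"
            # Anything not ending in @ORG_DOMAIN (including malformed addresses) is external.
            external = [a for a in attendees
                        if a.rpartition("@")[2].lower() != ORG_DOMAIN]
            if external:
                return "needs_approval", "external attendees: " + ", ".join(external)
        if tool == "delete_event":
            while self.deletes and now - self.deletes[0] > WINDOW_S:
                self.deletes.popleft()
            self.deletes.append(now)
            if len(self.deletes) > MAX_DELETES:
                return "needs_approval", "delete burst"
        return "allow", ""

# Constructed sample calls: (tool, arguments, timestamp in seconds)
SAMPLE = [
    ("list_events", {"time_min": "2024-01-01", "time_max": "2024-01-02"}, 0),
    ("create_event", {"summary": "Sync", "attendees": ["a@example.com"]}, 1),
    ("create_event", {"summary": "Invoice", "attendees": ["x@other.test"]}, 2),
    ("delete_event", {"event_id": "e1", "force": True}, 3),
] + [("delete_event", {"event_id": f"e{i}"}, 10 + i) for i in range(5)]

def run_sample():
    gate = CalendarGate()
    return [gate.review(tool, args, ts)[0] for tool, args, ts in SAMPLE]
```

Calls returning "needs_approval" would be held for a human decision rather than executed, and every decision with its reason is worth logging for the L5 observability gap.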

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).